Lucas123 writes "California's Riverside County Superior Court's Web site is serving up document images containing SSNs and detailed medical records relating to civil cases, according to a couple of privacy advocates. All of the documents are free to anyone who knows where to look for them. 'Searches done on the court's Web site turned up various documents related to civil cases that contained sensitive information. Included were complete tax filings, medical reports pertaining to cases handled by the court, and images of checks complete with signatures as well as account and bank-routing numbers.'"

Either way, this is stuff that Epic Systems of Verona, WI has already done. Their software runs at a lot of hospitals, from the check-in desk to the little dumb terminal in the doctor's office that brings up your charts and records.

They also have a "dashboard" application where you can check your medical records and schedule appointments online. I don't know of any hospital near me that uses that app, but some hospitals advertised the online features they got from Epic on television.

You're all looking at the wrong server. (not to mention RTFA...) The article isn't talking about medical records systems or doctor/hospital systems. The abstract clearly says it is a court system serving up civil case records. Health care systems? Huh???

The server http://www.riverside.courts.ca.gov/ [ca.gov] is just the main directory for all of the court's web presence. You did notice that there aren't any personal documents there didn't you?

Microsoft sees a future in which a physician in a hospital calls up a patient records and instantly sees a dashboard of relevant information drawn from all the patient records going back many years

I thought it was hilarious - he's spinning it as Microsoft has some dastardly for FrontPage to serve up your medical records over the tubes when there are companies out there that actually earn their bread and butter doing just that.

Only YOU care if your information is made public. There is absolutely no reason for any public or private organization to give a shit, and they make that evident over and over. Until it is more cost effective for them to protect the info than to leak it they will continue to do so. And that's never going to happen.

Much better to make the company who issues credit to an impersonator responsible for the credit they issue rather than the person who matches the mystical, enchanted number (I don't know what else could possibly make a number secure) that was used for identity.

A leak would be one thing; these muppets INTENTIONALLY POSTED this stuff.
From TFA:

But the court's IT director defended the practices, saying that documents are being posted on the Web site in accordance with California laws and that finding data such as Social Security numbers is akin to "finding a needle in a haystack."

Wow.

You know, just because something can be done, doesn't mean it is necessarily to be done. This guy may want to take a look at Maryland's case search engine [state.md.us] to see an example how someone with some sense would do it. Jeebus.

It's not fair to blame the IT Director here. All the information posted online is public information. Without the site, any scumbag could go to the courthouse and access this information -- a key difference being that you would never have heard about it.

Now, I realize there's a qualitative difference between Internet accessibility and walk-in accessibility, but I do think we need to address the larger privacy concerns.

The problem is when the needles in the haystack are found they are immediately made available to everybody. There's a measure of Internet sensibility that isn't being adhered to.
When the medium changes, often the rules need to change too.

Court documents are publicly accessible, yes. There are a handful of exceptions (they can be sealed by judicial order, although it is rare) and accessing the dead-tree versions is simply more time-consuming than accessing the online documents, but they're still there. In many cases, it's also possible to simply call or fax the court office and ask for the information to be sent to you, so you don't even need to poke through the information yourself.

Why stop there? French privacy laws provide for jail time under certain circumstances.

Identity theft is really pretty easy, in large part because everyone from the government to the local grocer can get away with playing fast and loose with whatever data of yours they have on hand. Fines won't stop that, especially if the payoff is larger than the fine anyway.

We'd be better off if we stopped locking up rinky-dink hop heads and replaced them with the aiders and abettors of identity thieves.

Which is why we need legislation that will fine them for releasing that information.

WTF? We're in bad shape when a "There should be a law..." post gets rated Insightful

Making a new law isn't going to help anything. It's against the law to kill people and smoke pot, but it happens all the time. Sure, the companies will pay some tiny fine as punishment, but that doesn't really solve the problem of "Your private info was just given to scumbags".

And what about when it is your government that has managed to lose it? Good luck with boycotting your tax payments...

True, boycotting won't work for the government. But, the government employees didn't get there by accident. People voted for them, or voted for the people who hired them. Somewhere up the chain, some elected official is responsible for the people who fucked up, and they should be fired, impeached, voted out of office, or otherwise removed. If losing data means a person loses their care

I think it goes beyond that. In the case of court filings, documents used in the case become public evidence, and as such, are required to be available publicly. At least, that's my understanding.... not sure how that applies to information that would normally be covered under HIPAA or similar privacy laws. This is just the tip of the iceberg of the information flood. As much as people hate the idea here, I think that there is a need for a federal ID piece that can be used to positively identify someone, wit

Yeah let's tie it in with DNA so nobody can forge it! Hell, let's just implant a tiny RFID at birth while we're at it... It's already bad enough people need to fingerprint to use a vehicle, or if you are arrested for any reason, a DNA sample is taken. Let's just start it at birth!

Those are bad ideas, because they can't be changed. That's why I didn't use them. Do you have an idea on how to solve the problem of positive ID? How to prove you are you, when lots of people are trying to impersonate you? Or do you just like to cling onto an outdated idea of privacy that didn't even work well in the Wild West?

I believe any positive ID will be used in the future to control the population. I don't like to be controlled, categorized, and treated as a number, or a marketing demographic/classification by a government that is armed to the teeth, and has shown time and time again that they believe they are above the law. Remember the term "Papers Please" shown in so many WWII movies... ah yes, papers to control people, imagine if they had DNA or what have you... Do you think a single Jew would have made it out? A pa

Two things: positive ID is already required in a number of instances. The current system is just so wide open for abuse that it's unconscionable. Furthermore, the Wild West system was completely ripe for abuse - primarily because there was no real way of knowing whether what anyone said about themselves was true. Lastly, I'd also challenge your belief that any positive ID will be used to control (in the Orwellian sense) the population. Jews snuck out because people didn't know their race when they presented f

I don't know how it is now but before 9/11 an adult could get a passport if they had two people testify that they knew the person well for 10 years. The intent was so Ma The Farmer's Wife who never had a birth certificate or driver's license could get a passport even if she'd lost her family Bible and birth records in a fire and the doctor or midwife who birthed her was also dead. She could round up a few people who knew her for a long time and get a passport.

Just like changing your name, you can have a process that lets you update your PGP key. With biometric information, that's not controllable. The point is that if someone gets a hold of your personally identifying information now, you're boned as well. Why not make the process by which that information is obtained as hard as possible?

There are plenty of services that don't need personally identifying information, but there are some that do. Encrypt information to be sent with your private PGP key, and the oth

In some courts, "public" information is routinely redacted. You have to get a court order or be someone special to see the originals.

This also applies to evidence in criminal cases too. If I defraud 10 people's bank accounts at ACME Bank, those account numbers may be redacted depending on the court and whether the accounts are still active. If I'm on trial for k1dd13 p0rn or stealing nuclear secrets you can bet the main evidence will be sealed from public view.

Just because something is public record doesn't mean it necessarily must be written in block caps plastered on the nearest billboard. Some information -- even public information -- should have a gatekeeper. If it were my tax return, I think I'd want someone seeking it to have to ask the court clerk for it, and possibly, explain why.

The real issue is, most public records that deal with the government are extremely difficult to obtain, requiring repeated FOIA requests, and occasional legal action. Try to get government salary figures (which are also public information) for the morons who are posting this information, and I bet you'll have to jump through hoop after hoop.

Yet when it's just some private citizen's information plastered all over the place it is no big deal because it's "public information".

Bravo to California, Bastion of Democracy...
It does raise a question though:
How do FOIA requests match up with HIPAA regulations?
FOIA generally allows you information on government happenings; HIPAA gives strict guidelines about privacy of Personal Health Information. Which takes precedence?

I'll bet HIPAA. Of course, this leak is hardly surprising, given the probability that no one of right mind would want to work for their local government much less for the very low pay and crappy job atmosphere. Their ability to attract the best and brightest is overshadowed by the inability to pay anything close to market wages. If there's any good IT people working in local government then they're probably looking for a better job, or making real money contracting special services back to the gov. It's

Courts are not HIPAA covered entities. Only health care providers, health care clearinghouses, and health plans are covered. Before you ask, a court doesn't count as a clearinghouse. In oversimplified terms, a clearinghouse is a covered entity that processes information on the behalf of another covered entity.

I'm not certain, but I do believe if you disclose your personal information to the courts because of the Americans with Disabilities Act; IE, you need to have recesses every 2 hours because of a medication you need for X, that becomes HIPAA covered, doesn't it?

FOIA has some exclusions, but it doesn't matter because HIPAA is a joke. For example: I used to be a full time preventer of natural selection (firefighter/paramedic) working for a city government. Under the FOIA they were supposed to release out information excluding a few tidbits like SSN, medical screening, etc. However, it was only applied when it benefited the city. If a reporter wanted to inspect an employee's file, if the reporter was a city friendly one, they wouldn't remove or blank out any personal info

They say that if I am a good citizen who is following the rules, then I should have nothing to hide, and shouldn't mind a high level of governmental monitoring of my private life. Well I DO have something to hide *from criminals.*

The data that the government monitors gets stored and handled by an incompetent IT staff overseen by decision-makers who are even less competent. The level of data tracking that the government insists it is justified in doing directly harms the people being tracked, not because of

Each credit company could issue their own numbers. That removes them from the one place they are most abused. Make it a problem for the corporations to deal with. When one of the CSIDs (CreditScoringID) is stolen, it only causes issues with the Credit scoring. You don't need to worry about your whole life being tied to that one number. Since you can't get a new SSN (usually) once someone has it and can tie it to you, your whole life is compromised.

This is exactly the correct point. A SSN does tie to a single person but it shouldn't be used to authenticate that the person serving it up really is the person tied to the SSN. Real authentication needs to take place. Shoot, I'd rather have to give my fingerprint if it meant I wouldn't have my identity stolen.

Furthermore when an ID is stolen, the company that let the thief sign up for credit in someone else's name should be fined and scrutinized for further possible fraud. We need to make the companies

As an aside, with gelatin, latex, and a few common household chemicals, it is possible to make a 'glove' that will at least simulate someone else's prints. Sorry, one more biometric to toss into the toilet of history.

I'm sorry but when a 4 foot tall woman shows up to give my print I think they'll figure it out. I'm 6 feet tall and a guy. The point is to make it harder to be a criminal. Right now you don't even have to leave your house.

This is a common misconception. There are honest duplicates within the system. I'm not talking about the "undocumented worker" down the street. Duplicate SSN's are issued. You need some other information such as a name to make it a unique identifier.

There are almost 304,000,000 people in the US. If they were unique, that would mean that a third of the total possible SSNs must be used just for the current living population. Count everyone who has died since 1936

Unfortunately, all of the costs of identity fraud are borne by the consumer, while all of the benefits of quick/insecure identification are reaped by the lending industry.

Strong and secure methods of identification and verification need to make their way into the financial world, but changing the existing infrastructure is expensive, so it isn't going to happen. At least, not until some enterprising individual has their identity stolen and successfully manages to sue the lending industry for fraud...

1. Call each credit bureau and put a freeze on your credit. The credit bureaus will say they'll contact the others but they never do. You can do it anyway even if you're not a victim of identity theft but they'll charge anywhere from $10-$20 per credit bureau.

2. You are entitled to at least ONE free credit report per year and depending on your state maybe more. Federal Trade Commission's site [ftc.gov] is the ONLY truly free credit report. Those other sites are trying to sell you other stuff and they're not on the

If you're really paranoid about identity theft, then go for one of the credit monitoring services run by a credit bureau. The one I've found most useful is truecredit.com, which is run by TransUnion (which, by the way, is by far the easiest credit bureau to deal with in my opinion). It costs a little more than most others ($14.95 per month) but it allows you to update your credit report from all three bureaus as often as you want (daily if you really want to) and offers online dispute filing for all three

The more you tell your life to government (and anyone really), the more it will find its way into general knowledge. This is one of the reasons I'm against any "universal" government program. Heck, it doesn't even have to be medical records. Think back to the recent passport flap with high profile politicians. The government is not looking out for you.

Most court proceedings are a matter of public record unless a judge orders them sealed. It should be this way too because we have a legitimate interest in what is going on in our courts. That information is probably relevant to the decisions on the quality of the proceedings much of the time. Frankly as much as it's unfortunate for the people and organizations that find themselves in the court rooms, it's probably the right thing to do to publish those items.

This is another perfect example of the federal government not enforcing HIPAA whatsoever. It's a great standard. Like PCI, easy to read, very prescriptive, and leaves little room for interpretation. Unfortunately, because of the way it was put into effect, it will likely never be enforced.

The only fallback that people have legally is that California privacy bill that's mentioned in section 12 of PCI.

While it is unfortunate that such things as SSN's are being made public, the hard reality is that anything contained in a court record is public information.

Open access to government is a two way street, and is meant to prevent corruption and give the public a clear view what their government is doing.

On a side note, my county also publishes court records on the internet that are public information. However, it is limited to the court schedule, case#, charge, and attorney schedule.

The fact that this schedule is public information is still not a concept some people are aware of. I've heard stories from court employees of upset people coming in and demanding that their DUI case be taken down from being publicly viewable. Unfortunately for these people, the law says otherwise.

I even have personal experience in some of the reactions people have to this publicly available information after I posted a link to the county courthouse on one of my websites. A Company called Caton Commercial [willcounty...tcourt.com] even went so far as to have their attorney draft a cease and desist letter threatening me with legal action, and demanding that I remove this linked information, and turn over my legal domains to them to stop this 'knowingly libelous' action. Although, I'm not sure that they thought through how they were going to present to a judge their case that the court's own website schedule was the source of this so-called libelous information. Like every other company before that has failed to grasp the concept of the internet, all the attention this brought to the linked information was a lovely demonstration of the 'Streisand Effect'. Once again, adding more weight to the phrase 'more dollars than sense'.

I can't imagine this will last long, as it's a clear violation of federal law. I work for a court, and we ALWAYS need to redact SSN from every order (unless it's just being disclosed to that specific person). It's against state law here, but also federal. From 42 U.S.C. 405(c)(2)(C)(viii):

Social security account numbers and related records that are obtained or maintained by authorized persons pursuant to any provision of law enacted on or after October 1, 1990, shall be confidential, and no authorized person shall disclose any such social security account number or related record.

So I really can't imagine the court can defend this in any way at all.

Right. Have you looked at federal lien filings? Tax and court both are _required_ to include the SSN/taxpayer ID # when filing this stuff. I can walk into any county records center and pull this stuff up. Since it's digitized, I can also usually search by type of filing.

And you'll note that "pursuant to any provision of law enacted on or after October 1, 1990" portion. Generally these filings are based on law going a lot further back than that.

Let's face it, the concept of a SSN being a positive identification needs to just stop. Do I have a solution? No, but the fact that somebody can walk into a bank and open an account in my name simply by possessing My publicly available address, and a 9 digit number needs to be looked at as an absolute failure. The tin foil hat wearing crowd will object until the very end, but IMHO biometrics need to become the standard. A retina scan is something that is not easily forged (I'm not saying it's not possible

Actually I was thinking something along the lines of a chip embedded in my credit card that can only be read by inserting it in a reader, along with a cheap USB CC reader that will send the signal as a 256 bit AES encryption to any website I want to deal with. Seriously, we can build USB readers that can read 20+ card formats for a little of nothing, why not have an affordable USB card reader that lets me use a two factor authentication easily? That way unlike a tax those that don't want it or need it wouldn

HIPAA is the Health Insurance Portability and Accountability Act of 1996. It regulates Health Insurance. It contains a Privacy Standard that regulates how Protected Health Information (PHI) may be used. A little piece of it says that your SSI# can't be used as your ID number in health insurance. There are still lots of legitimate uses for that number both in and out of health insurance.

Nothing in HIPAA has anything to do with the court system. I want court records to be public documents. I want un

IIRC, in the first few pages of HIPAA it explains that the law is all about and only about the transfer of medical information over computer networks. It's not just applicable to insurance, it also applies to information transfers between hospitals and *any* electronic transfer of patient records. I learned all this while working for a private ambulance company, where this is a big deal due to the complex billing associated with transports.

We operate with a model of a free public record for legal documents. In Texas, there was a brief move to scrub SSNs from legal documents prior to "publishing" them. Most law offices promptly informed the legislature that their law couldn't work, because you can change your name, you can pretty much change everything but your SSN.

Add to that the problem of Public Records - if you charge to access them (presumably to limit access), they're no longer public. Public Records also have all the other problems

The court put up their public files online. Some clerks forgot to blank out or scanned in the wrong papers just a few times out of the hundreds of thousands of records, and a few social security numbers got accidentally released. Why isn't this expected just as a part of human error, when companies are leaking thousands at a time due to the acts of rogue database operators looking to make a buck?

I'll bet I can find more social security numbers and bank account numbers from my apartment dumpster than is on t

In a day and age where we have so much identity theft, they basically gave the thieves the identities to steal. Then the government is going to say, hey it is your problem not ours and people will spend huge amounts of money to fix this.

It is not overblown, IMHO, and the responsible people should be canned! There should be laws against this also. This includes corporations that do this. Like maybe jail time for aiding a thief!

No, they said "There's hundreds of thousands of records in there, it's not easily searchable (I.E. you have to go through each and every case opening jpgs for the information) to find a clerical error that may give you somebody's SSN (these are also public records that you can go down to a courthouse and look up as well). There are ways that are several orders of magnitude easier to get even more of the same information, including like my above post, a dumpster.

An earthquake or tornado is not preventable at this day and age, but dumping ssn and other sensitive info out on the web is.

You have too much faith in humanity. Obviously you haven't seen the price of gas in the US, greenhouse issues and the lovely war that our oh so faithful president has gotten us into. But that is just MY opinion and I'm sure lots of people will disagree, and I usually call them dumb!

Why do we just not make the jump and make everything public? Our information is out there. It is getting leaked. It is being rampantly abused. Why not just make all of our information public?

Why not create nice, neat databases with comfortable user interfaces that can query all of your, currently, personal information? And apply this to *every* one and *every* organization. No clauses for 'national security'. Everyone gets to know everything about everyone whenever they want.

It's funny how everybody here gripes and moans about freedom of information and whatnot, but when something is provided you just want to complain about that. This is an example of a government agency trying to make public information available to the public. All of the cases shown are civil cases which have been filed by persons in the court. All of the information was given to the court by the persons involved because of the civil cases they started. The information contained within the documents is pub

Out in the burbs of Boston, a slightly different wrinkle on "identity theft." An honest-to-God ANALOG version.

Seems a local bank (one that apparently doesn't scan in all their checks before shipping them out to a check-processing house) gathers up all the negotiable instruments (checks, mostly), puts them in a pouch and gives them to a bonded courier.

On one particular day, the courier stopped off somewhere during the not-so-swift completion of his appointed rounds. And, while s/he was out